Storing images outside of html root

I plan to use a database to store the path of an image so that I can
dynamically show an image to an authorized user that has logged in.

My question is that if I store the images under the html root, than
theoretically, people cold guess the path to other images if they view
the source and see where the images are coming from. For example, if
they see that an image is coming from the /images folder then they could
guess the name of another images.

Is it possible to store the images outside of the root, like you would
store a database?

For example, I have my html files stored in the html root folder and my
database in a database folder outside of the html root folder to prevent
people from browsing to the database. I tried to store an image in the
database folder, create a page and link the src of the image to the
direct path in the server (d:\database folder on server\image.jpg). But,
the image did not display.

I do not want to store the image in the database. So, is my only
solution to just put the images inside the html root and then hope
people do not guess the name of other images?

Thanks
Steve

Steve,
I think the 'view source' code is always going to display the image path &
name, unless you could find a way to disable that, most unlikely.
turn off IE's image tools on the page
write "" to the status bar
or disable right-clicks

Craig

"omegaskl" <omegaskl (AT) BLOCK (DOT) comcast.net> wrote

Quote:

I plan to use a database to store the path of an image so that I can
dynamically show an image to an authorized user that has logged in.

My question is that if I store the images under the html root, than
theoretically, people cold guess the path to other images if they view
the source and see where the images are coming from. For example, if
they see that an image is coming from the /images folder then they could
guess the name of another images.

Is it possible to store the images outside of the root, like you would
store a database?

For example, I have my html files stored in the html root folder and my
database in a database folder outside of the html root folder to prevent
people from browsing to the database. I tried to store an image in the
database folder, create a page and link the src of the image to the
direct path in the server (d:\database folder on server\image.jpg). But,
the image did not display.

I do not want to store the image in the database. So, is my only
solution to just put the images inside the html root and then hope
people do not guess the name of other images?

Thanks
Steve

If I'm not mistaken, accessing files outside the documents root is a no-no because it will open your system to everyone on the net and poses a serious security risk.

Craig wrote:

Quote:

I think the 'view source' code is always going to display the image path &
name, unless you could find a way to disable that, most unlikely.
turn off IE's image tools on the page
write "" to the status bar
or disable right-clicks

None of those are effective methods of protecting images.


Gary

On 19 Jul 2004 in macromedia.dreamweaver, omegaskl wrote:

Quote:

I do not want to store the image in the database. So, is my only
solution to just put the images inside the html root and then hope
people do not guess the name of other images?

Your only solution, if you do not want people 'getting' your images, is
not to post them to the web. As soon as they are viewed, they are
resident on the viewer's computer. That's the fundamental nature of the
Web.

--
Joe Makowiec
http://makowiec.net/
Email: http://makowiec.net/email.php

.oO(omegaskl)

Quote:

I plan to use a database to store the path of an image so that I can
dynamically show an image to an authorized user that has logged in.
[...]
Is it possible to store the images outside of the root, like you would
store a database?

No, images have to be accessible via an URL, i.e. they have to be stored
somewhere under the document root. A browser has no direct access on
files that are stored outside, you need a script for streaming the file.

Quote:

I do not want to store the image in the database. So, is my only
solution to just put the images inside the html root and then hope
people do not guess the name of other images?

No. Put them somewhere on the server outside the document root and use a
script for delivery (of course the script has to be accessible with a
browser). The script checks if the user is authenticated and then sends
the requested image.

For more informations or hints you have to post some more details (what
server, database, what server-side scripting language ...).

Micha

So what you are saying is that I can put them in the same folder that my
database resides (outside html root) and use a script to delver the
images? That sounds cool.

Right now, I am using IIS, Access and VB Script. I authenticate the user
using Dreamweavers Login User Server Behavior.

What I have seen other sites do is just name the image being served a
random string, such as GhJuY67.jpg. That would make it real difficult
for people to guess that image A goes with database record A. I am
willing to do that as well if your method is not possible.

Steve

On 7/19/2004 9:24 AM, Michael Fesser wrote:

Quote:

.oO(omegaskl)


I plan to use a database to store the path of an image so that I can
dynamically show an image to an authorized user that has logged in.
[...]
Is it possible to store the images outside of the root, like you would
store a database?


No, images have to be accessible via an URL, i.e. they have to be stored
somewhere under the document root. A browser has no direct access on
files that are stored outside, you need a script for streaming the file.


I do not want to store the image in the database. So, is my only
solution to just put the images inside the html root and then hope
people do not guess the name of other images?


No. Put them somewhere on the server outside the document root and use a
script for delivery (of course the script has to be accessible with a
browser). The script checks if the user is authenticated and then sends
the requested image.

For more informations or hints you have to post some more details (what
server, database, what server-side scripting language ...).

Micha

I agree with all you, kinda.
Ultimately Joe is absolutely correct, if its been seen it's on the computer.
You seem to be protecting something worthy of the Pentagon - which has been
hacked, so why bother?
If you want the simplest solution, its your own - disassociate the record
and file name. But is it worth it? Will you remember what's associated with
what?

Craig


"omegaskl" <omegaskl (AT) BLOCK (DOT) comcast.net> wrote

Quote:

So what you are saying is that I can put them in the same folder that my
database resides (outside html root) and use a script to delver the
images? That sounds cool.

Right now, I am using IIS, Access and VB Script. I authenticate the user
using Dreamweavers Login User Server Behavior.

What I have seen other sites do is just name the image being served a
random string, such as GhJuY67.jpg. That would make it real difficult
for people to guess that image A goes with database record A. I am
willing to do that as well if your method is not possible.

Steve

On 7/19/2004 9:24 AM, Michael Fesser wrote:

.oO(omegaskl)


I plan to use a database to store the path of an image so that I can
dynamically show an image to an authorized user that has logged in.
[...]
Is it possible to store the images outside of the root, like you would
store a database?


No, images have to be accessible via an URL, i.e. they have to be stored
somewhere under the document root. A browser has no direct access on
files that are stored outside, you need a script for streaming the file.


I do not want to store the image in the database. So, is my only
solution to just put the images inside the html root and then hope
people do not guess the name of other images?


No. Put them somewhere on the server outside the document root and use a
script for delivery (of course the script has to be accessible with a
browser). The script checks if the user is authenticated and then sends
the requested image.

For more informations or hints you have to post some more details (what
server, database, what server-side scripting language ...).

Micha

Yeah, I am not concerned about people copying the image, just accessing
ones they are not authorized to see. So, the random file name seems like
a good idea. I'll just keep a record of what photo goes with what record.

Of course, I could just put the images in a password protected
directory, but that will not work since I am authenticating via a database.

Steve


On 7/19/2004 9:39 PM, Craig wrote:

Quote:

I agree with all you, kinda.
Ultimately Joe is absolutely correct, if its been seen it's on the computer.
You seem to be protecting something worthy of the Pentagon - which has been
hacked, so why bother?
If you want the simplest solution, its your own - disassociate the record
and file name. But is it worth it? Will you remember what's associated with
what?

Craig


"omegaskl" <omegaskl (AT) BLOCK (DOT) comcast.net> wrote in message
news:ddqdnfX234TSb2bdRVn-vA (AT) comcast (DOT) com...

So what you are saying is that I can put them in the same folder that my
database resides (outside html root) and use a script to delver the
images? That sounds cool.

Right now, I am using IIS, Access and VB Script. I authenticate the user
using Dreamweavers Login User Server Behavior.

What I have seen other sites do is just name the image being served a
random string, such as GhJuY67.jpg. That would make it real difficult
for people to guess that image A goes with database record A. I am
willing to do that as well if your method is not possible.

Steve

On 7/19/2004 9:24 AM, Michael Fesser wrote:


.oO(omegaskl)



I plan to use a database to store the path of an image so that I can
dynamically show an image to an authorized user that has logged in.
[...]
Is it possible to store the images outside of the root, like you would
store a database?


No, images have to be accessible via an URL, i.e. they have to be stored
somewhere under the document root. A browser has no direct access on
files that are stored outside, you need a script for streaming the file.



I do not want to store the image in the database. So, is my only
solution to just put the images inside the html root and then hope
people do not guess the name of other images?


No. Put them somewhere on the server outside the document root and use a
script for delivery (of course the script has to be accessible with a
browser). The script checks if the user is authenticated and then sends
the requested image.

For more informations or hints you have to post some more details (what
server, database, what server-side scripting language ...).

Micha

.oO(omegaskl)

Quote:

So what you are saying is that I can put them in the same folder that my
database resides (outside html root)

For example.

Quote:

and use a script to delver the
images? That sounds cool.

Right now, I am using IIS, Access and VB Script.

Hmm, don't know about VB, I use PHP. The streaming-script is accessible
with an URL and is able to read files on the server directly through the
filesystem. It reads the requested file and passes it through to the
browser.

Currently I use this for a download script to count how often a file has
been downloaded. The idea is the same.

Quote:

What I have seen other sites do is just name the image being served a
random string, such as GhJuY67.jpg. That would make it real difficult
for people to guess that image A goes with database record A.

True, but it's still "security by obscurity", I wouldn't rely on that if
other methods are possible.

Micha